named mystery -- error: dumping master file:
olli at lurza.secnetix.de
Mon Sep 1 17:17:34 UTC 2008
Alex Goncharov wrote:
> There is no question about it: I think I've done adequate reading and
> will likely take a look at the Guide again, to see if this situation
> and your resolution are described there. By my recollection, it is
> not (BIND FAQ discusses permissions for `sl' -- the slave directory,
> but this is not the same as "master".) Do you think it is?
Forget the FAQ. You should read the ARM (Administrator
Reference Manual), especially the section on dynamic
Of course bind must be able to write to the "slave" and
"dynamic" directory, so it is able to store slave zones
and dynamic updates. There is no reason that bind needs
write access to static master zone files, because, well,
> Now, how does the argument that master zones should not be dynamically
> updatable, and `bind' must not have write permissions over the
> directory keeping the master zone files -- how does this live with
> your resolution to my problem? I am quite happy to accept it (if down
> the road nothing is going to "chown root dynamic") but I don't see
> much sense in doing this trick -- my master zone files are as
> vulnerable now as if they lived under `master' and the conceptual
> structure of the system seems worse to me: after all, what now lives
> under `dynamic' is a "master" zone (marked as such in `named.conf').
Yes, of course, there are static master zones and dynamic
master zones. They all are really master zones, the only
difference is that the dynamic ones have been enabled for
dynamic updates. This is often used for dynamic clients
in internal networks or VPNs.
The static zones live in the "master" directory, and the
dynamic ones live in the "dynamic" directory.
Some people advise against serving both static (public)
and dynamic (internal) master zones from the same server.
That's precisely for the security reason you mentioned:
If an external attacker could gain access to your named
via an exploit, he could manipulate your dynamic zones
(though not your static ones if permissions are configured
correctly). Therefore it might be a good idea to serve
static and dynamic zones from different named instances
in separate jails that are bound to appropriate (public
vs. internal) IP addresses.
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
"Whatever happened to the days when hacking started
at the cerebral cortex, and not at the keyboard?"
-- Sid on userfriendly.org by Illiad, 2007-06-20
More information about the freebsd-current